WLC5508 TACACS communication from the wrong interface/IP

- I have one management interface (IP Y.Y.Y.Y) which acts also for AP management on VLAN 200.

- A couple of other dynamic interfaces, one of them untagged, with IP X.X.X.X.

- My AAA (TACACS/RADIUS) servers are on this untagged VLAN (IPs in the subnet X.X.X.0).

User authentication is working fine, the WLC communicates with the AAA servers just fine for user authentication, but I noticed that using the same servers for management authentication doesn't work with an error from the WLC side that the servers are unavailable.

After some sniffing I've seen that the WLC tries to contact the AAA servers over the management interface (VLAN 200) BUT using the X.X.X.X IP and not the Y.Y.Y.Y IP! Of course this will go nowhere!

This is quite strange behaviour as I understand it. I would expect the controller either to use the management interface with the Y.Y.Y.Y IP to reach the AAA servers, or to use the dynamic interface with the X.X.X.X IP, but not this mixed thing, especially since this only happens for management authentication while user authentication works.

"It is important to avoid configuring a dynamic interface in the same sub network as a server that has to be reachable by the controller CPU, for example a RADIUS server, as it might cause asymmetric routing issues."

This is the second blurb below the CPU-initiated traffic one.

As I said, it shouldn't be working for user auth either. If the WLC has a dynamic interface in the same subnet as a server, it uses that interface to initiate traffic, instead of the management interface. So unless you configured the RADIUS portion with the dynamic interface IP, and issued config network-mgmt-via-dynamic-interface enable, the WLC should drop any request from the server on the dynamic interface.
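A small check that ties the two posts above together: the original poster found AAA packets leaving the management VLAN with the dynamic interface's source IP, and the reply points at the Cisco guidance against placing a server in the same subnet as a dynamic interface. The script below (an added example, not from the thread or from Cisco) takes a constructed capture summary and a constructed interface table, flags AAA packets whose source IP does not belong to the VLAN they were seen on, and reports which dynamic interfaces share a subnet with a given AAA server. All addresses, interface names and the `Packet` record shape are assumptions standing in for the masked X/Y values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed WLC interface table (hypothetical addresses; the thread masks them as X/Y).
INTERFACES = {
    "management": {"vlan": 200, "network": "10.200.0.0/24", "ip": "10.200.0.5"},
    "dynamic-untagged": {"vlan": 0, "network": "10.10.0.0/24", "ip": "10.10.0.5"},
}

# (protocol, destination port) pairs that identify AAA traffic:
# TACACS+ on tcp/49, RADIUS auth/acct on udp/1812-1813 and the legacy udp/1645-1646.
AAA_PORTS = {("tcp", 49), ("udp", 1812), ("udp", 1813), ("udp", 1645), ("udp", 1646)}


@dataclass(frozen=True)
class Packet:
    vlan: int        # 802.1Q tag seen on the trunk, 0 = untagged
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"


def interface_for_vlan(vlan):
    """Return (name, config) of the WLC interface bound to this VLAN, or (None, None)."""
    for name, cfg in INTERFACES.items():
        if cfg["vlan"] == vlan:
            return name, cfg
    return None, None


def check_packet(pkt):
    """Return None if the packet is consistent, else a description of the mismatch.

    The symptom from the thread is an AAA packet on VLAN 200 (management) whose
    source address is the IP of a different (dynamic) interface.
    """
    if (pkt.proto, pkt.dst_port) not in AAA_PORTS:
        return None                      # not AAA traffic, ignore
    name, cfg = interface_for_vlan(pkt.vlan)
    if cfg is None:
        return f"AAA packet to {pkt.dst_ip}:{pkt.dst_port} seen on unknown VLAN {pkt.vlan}"
    if pkt.src_ip != cfg["ip"]:
        owner = next((n for n, c in INTERFACES.items() if c["ip"] == pkt.src_ip),
                     "no configured interface")
        return (f"AAA packet to {pkt.dst_ip}:{pkt.dst_port} left VLAN {pkt.vlan} ({name}) "
                f"with source {pkt.src_ip}, which belongs to {owner}")
    return None


def audit(packets):
    """All mismatch descriptions for a list of packets (empty list = nothing wrong)."""
    return [msg for msg in (check_packet(p) for p in packets) if msg]


def dynamic_interfaces_sharing_subnet(server_ip):
    """Names of non-management interfaces whose subnet contains server_ip.

    A non-empty result is the configuration the quoted Cisco guidance warns about.
    """
    ip = ipaddress.ip_address(server_ip)
    return [n for n, c in INTERFACES.items()
            if n != "management" and ip in ipaddress.ip_network(c["network"])]


# Constructed capture summary: the first packet reproduces the reported symptom,
# the second is user authentication going out the dynamic interface correctly,
# the third is management AAA sourced correctly, the fourth is unrelated HTTPS.
SAMPLE = [
    Packet(vlan=200, src_ip="10.10.0.5", dst_ip="10.10.0.20", dst_port=49, proto="tcp"),
    Packet(vlan=0, src_ip="10.10.0.5", dst_ip="10.10.0.20", dst_port=1812, proto="udp"),
    Packet(vlan=200, src_ip="10.200.0.5", dst_ip="10.10.0.20", dst_port=49, proto="tcp"),
    Packet(vlan=200, src_ip="10.200.0.5", dst_ip="10.200.0.77", dst_port=443, proto="tcp"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("MISMATCH:", finding)
    shared = dynamic_interfaces_sharing_subnet("10.10.0.20")
    if shared:
        print("AAA server 10.10.0.20 shares a subnet with dynamic interface(s):", shared)
```

Feed it the VLAN tag, addresses and ports from a capture on the WLC's trunk port; one line of output per AAA packet whose source address does not match the interface for that VLAN is exactly the mixed behaviour described above, and the subnet check tells you whether the deployment is in the situation the quoted guidance says to avoid.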


This seems to me like a contradictory statement from cisco. It is quite crazy to work like this for one type of authentication but work differently for another.

Also you write: "If the WLC has a dynamic interface in the same subnet as a server, it uses that interface to initiate traffic, instead of the management interface"

But in my case it does NOT use the dynamic interface but the management interface with the dynamic interface's IP!

Also, I'm not sure what you mean by "configured the RADIUS portion with the dynamic interface". The AAA servers' IPs are on the same subnet as the dynamic interface, and "Mgmt Via Dynamic Interface" is disabled.

For me the bottom line is that this is crazy behavior and I'm sure you agree with me here. I'm also afraid that I must raise a TAC support case with this.